package com.cloud.monitor;

import com.cloud.common.constants.AuthBlankList;
import de.codecentric.boot.admin.server.config.AdminServerProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

/**
 * 监控Security 权限框架
 *
 * @author yzj
 */
@Configuration
public class MonitorConfiguration {

    private final String adminContextPath;

    public MonitorConfiguration(AdminServerProperties serverProperties) {
        this.adminContextPath = serverProperties.getContextPath();
    }

    @Bean
    public UserDetailsService securityUserDetails() {
        UserDetails userDetails = User.withDefaultPasswordEncoder()
                .username("admin").password("admin@147258").roles("admin").build();
        return new InMemoryUserDetailsManager(userDetails);
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // 配置SpringBootAdmin成功登录跳转地址
        SavedRequestAwareAuthenticationSuccessHandler authSuccessHandler = new SavedRequestAwareAuthenticationSuccessHandler();
        authSuccessHandler.setTargetUrlParameter("redirectTo");
        authSuccessHandler.setDefaultTargetUrl(adminContextPath + "/");
        http.authorizeHttpRequests()
                .requestMatchers(HttpMethod.GET, "/", "/**.css", "/**.js", "/**.svg").permitAll()
                .requestMatchers(HttpMethod.OPTIONS, "/").permitAll()
                .requestMatchers(adminContextPath + "/login").permitAll()
                .requestMatchers(adminContextPath + "/assets/**").permitAll()
                .requestMatchers(adminContextPath + "/instances/**").permitAll()
                .requestMatchers(adminContextPath + "/actuator/**").permitAll()
                // 除上面外的所有请求全部需要鉴权认证
                .anyRequest().authenticated()
                .and().formLogin().loginPage(adminContextPath + "/login").successHandler(authSuccessHandler)
                .and().logout().logoutUrl(adminContextPath + "/logout")
                //指定退出成功后删除的cookie
                .deleteCookies("JSESSIONID").logoutSuccessUrl(adminContextPath + "/login")
                .and().httpBasic().and().csrf().disable();
        return http.build();
    }

    /**
     * 请求白名单过滤
     */
    @Bean
    public WebSecurityCustomizer securityCustomizer() {
        return (web) -> web.ignoring().requestMatchers(AuthBlankList.monitorBlankList());
    }

}
